AWS for SAP

Streamline SAP Operation with CloudWatch MCP server and Amazon Q CLI – Part 3

Introduction

In today’s complex SAP environments, efficient operations and rapid troubleshooting are critical for business continuity. Building on our previous discussions of SAP observability (part-1) and Amazon CloudWatch Application Insights capabilites (part-2), this third installment introduces a powerful combination of tools that revolutionizes how teams manage SAP landscapes: Amazon CloudWatch Model Context Protocol (MCP) Server and Amazon Q for command line (Q CLI).
This innovative solution addresses three key challenges in SAP operations:

  • Complex command syntax that slows down operational tasks
  • Time-consuming root cause analysis requiring multiple tools and contexts
  • The need for streamlined health monitoring and reporting

In this blog we will:

  • Explore how CloudWatch MCP Server and Q CLI work together to simplify SAP operations
  • Demonstrate practical use cases for creating automated health reports
  • Show how natural language commands can streamline routine maintenance tasks
  • Illustrate the solution’s alignment with AWS Well-Architected Framework for SAP

The fourth part of our series will focus on maintenance planning, advanced root cause analysis, and detailed cost considerations for implementing this solution.
Figure 1. Architecture Diagram for Amazon CloudWatch MCP Server and Amazon Q for CLI

Figure 1. Architecture Diagram for Amazon CloudWatch MCP Server and Amazon Q for CLI

What is Amazon Q for CLI (Q CLI) ?

Amazon Q CLI delivers transformative value to AWS customers by integrating AI assistance directly into command line workflows. It empowers users to express commands in natural language, which Q then translates into proper CLI syntax, shortening the learning curve. The tool provides contextual command suggestions based on user intent, eliminating time-consuming documentation searches. When errors occur, Q offers clear explanations and remediation steps, accelerating troubleshooting.
It breaks down commands into understandable components, enhancing comprehension and skill development. By keeping users within their terminal environment, Q optimizes workflow by eliminating disruptive context switching to external resources.
This productivity enhancement reduces time spent searching for syntax examples and troubleshooting issues, allowing developers to focus on building rather than spending time with command structure. The interactive nature of Q accelerates the learning process, helping users become proficient with AWS CLI more rapidly. Ultimately, Amazon Q CLI transforms the command line experience from a potential barrier to an intuitive interface, making AWS services more accessible and efficient for customers of all expertise levels.

Figure 2. Amazon Q CLI prompt

Figure 2. Amazon Q CLI prompt

What is Amazon CloudWatch Model Context Protocol (MCP) Server ?

Model Context Protocol (MCP) is an open-source standard revolutionizing how developer tools communicate with AI models. By providing structured context about code, files, and projects, MCP enables AI assistants to deliver precisely tailored suggestions. The protocol includes practical implementations like the CloudWatch MCP server, which integrates CloudWatch metrics and logs directly into the development environment. This integration allows developers to troubleshoot and monitor applications without leaving their Integrated Development Environment (IDE), streamlining operations workflows.
The AWS Labs CloudWatch MCP Server bridges the gap between AI troubleshooting agents and operational data. This integration enables AI-powered root cause analysis and recommendations. It uses CloudWatch telemetry without needing custom API integrations.
The server features four specialized tools addressing operational needs:

  1. Alarm Based Troubleshooting identifies active alarms and analyzes historical patterns to determine root causes with context-aware remediation recommendations
  2. Log Analyzer examines CloudWatch log groups for anomalies and error patterns within specified timeframes
  3. Metric Definition Analyzer provides descriptions of metrics, including calculation methods and recommended statistics
  4. Alarm Recommendations suggests optimal alarm configurations with appropriate thresholds and evaluation periods.

What are Tools in CloudWatch MCP Server ?

When user enters a prompt using natural language in Q CLI, CloudWatch MCP server tools are invoked to interact with AWS services to perform the work. We will highlight these tools and AWS services invoked for SAP use-cases in the blog. You can start Q from your client by typing ‘q’ and use /tools and /mcp to view the list of tools available and MCP servers loaded in your environment.

Figure 3. Q CLI Server Tools loaded in your client session

Figure 3. CLI Server Tools loaded in your client session

Figure 4. CloudWatch MCP server loaded in your client session

Figure 4. CloudWatch MCP server loaded in your client session

How does this solution align with Well-Architected Framework for SAP Lens ?

Streamlined SAP Operations: Q CLI transforms SAP operational procedures by allowing engineers to use natural language for AWS operations supporting SAP workloads. This aligns with the SAP Lens emphasis on automation and reducing manual effort in managing mission-critical business systems, as CLI commands for SAP infrastructure can be generated through simple conversational requests.
Accelerated SAP Troubleshooting: The combination reduces mean time to resolution for SAP incidents by providing contextual monitoring data and AI-assisted analysis of SAP components, supporting rapid recovery from business-critical failures that impact operations.
Integrated SAP Observability: It eliminates context switching by consolidating SAP-specific metrics, logs, and alarms directly into client environments, supporting end-to-end monitoring across complex SAP landscapes. This integration enables teams to observe SAP system behavior without workflow disruption.
SAP Change Impact Analysis: It helps teams understand how changes affect SAP system stability by providing immediate feedback on operational metrics across the SAP technology stack.
SAP Resilience Verification: The tools simplify monitoring of SAP recovery mechanisms and fault isolation boundaries across distributed SAP landscapes, as well as testing reliability of business-critical processes and transactions.
SAP Architecture Insights: Q CLI can explain relationships between AWS services and SAP applications based on CloudWatch data, helping your team to gain insights their SAP architecture’s reliability.
SAP Knowledge Democratization: It helps organizations “operate SAP using code”. Q CLI’s ability to explain command lines enable your team to operate effectively on SAP Landscape with adequate information to make data driven decision.

Pre-requisites

  1. Deploy SAP S/4 HANA system with HA using AWS Launch Wizard for SAP
  2. Enable SAP full-stack observability as per Amazon CloudWatch Application Insights for SAP
  3. Install Amazon Q CLI by following steps in Installing Amazon Q for command line
  4. Configure CloudWatch MCP Server on your PC by following steps in AWS Labs CloudWatch MCP repository
  5. Configure AWS CLI on your PC by following steps in configuration settings for the AWS CLI

The access of the solution is secured with AWS Identity and Access Management (IAM), also consider the Q CLI Security considerations and best practices, as well as Security best practices for Systems Manager. Follow least-privilege access model for SAP Basis and AWS Infrastructure Engineer.

Use-case 1: Create Health Reports for SAP

This use case will generate health report for SAP HANA database, and ABAP SAP Central Services (SAP ASCS) cluster. Q CLI creates contextual command lines to discover Amazon EC2 instances to create Health Report. In this scenario, Q CLI runs multiple commands to check SAP Central Services status and produce a complete health report:

  1. Prompt to generate health status of the SAP cluster
  2. Run aws ec2 describe-instances that are part of the cluster
  3. Run ssm command crm_mon to check the status of the cluster nodes
  4. Run ssm command to check pacemaker.log
  5. Run ssm command to check corosync.log
  6. Run ssm command to check corosync.log

Important note: The prompts and responses below are shortened, you can download this Use-case 1- Create Health Reports for SAP to look at the complete prompt and response from Q CLI.

Prompt: Generate a health report for SAP HANA database, database cluster, and HSR.


> generate a health report for SAP Hana database, database cluster and HSR  

> # SAP HANA Health Report

## Executive Summary
Based on the analysis of CloudWatch logs for the SAP HANA system in the SAPDemo environment, the overall health status is GOOD. The SAP HANA database, cluster infrastructure, and HANA System Replication (HSR) are
all functioning properly after recovering from replication issues that occurred on July 11-12, 2025.

……


## Conclusion

The SAP HANA database, cluster infrastructure, and HSR are currently healthy and functioning as expected. The system has demonstrated resilience by recovering from previous replication issues. Regular monitoring 
and proactive maintenance are recommended to maintain system stability and performance.

Prompt: What is the current status of SAP ASCS ERS cluster nodes for sap application SAPDemo.


> what is the current status of SAP ASCS ERS cluster nodes for sap application SAPDemo. 

> I'll check the current status of the SAP ASCS and ERS cluster nodes for the SAPDemo SAP application.


🛠️  Using tool: execute_bash (trusted)
 ⋮ 
 ● I will run the following shell command: 
aws ec2 describe-instances --filters "Name=tag:Name,Values=*SAP-FIS-CS*" --query "Reservations[*].Instances[*].[InstanceId,Tags[?Key=='Name'].Value|[0],State.Name,InstanceType,PrivateIpAddress]" --output table
 ⋮ 
 ↳ Purpose: Checking EC2 instances that are part of the SAP *SAPDemocluster

-------------------------------------------------------------------------------------------
|                                    DescribeInstances                                    |
+----------------------+-------------------------+----------+-------------+---------------+
|  i-064751ba1b4c8340f |  SAP-FIS-CS-sapclnode2  |  running |  c5a.xlarge |  10.0.155.180 |
|  i-0e08f883d5c3b3747 |  SAP-FIS-CS-sapclnode1  |  running |  c5a.xlarge |  10.0.134.80  |
+----------------------+-------------------------+----------+-------------+---------------+

 ⋮ 
 ● Completed in 1.737s


……

## Conclusion
The SAP ASCS/ERS cluster for the *SAPDemo application is functioning properly with the expected resource distribution:
• ASCS (Central Services) is active on sapclnode2
• ERS (Enqueue Replication Server) is active on sapclnode1
• Both nodes are online and healthy
• The cluster has quorum and is properly configured for high availability

This is the expected configuration for an SAP high-availability setup, where ASCS and ERS run on separate nodes to ensure enqueue replication functionality in case of a node failure. The cluster is operating 
normally and no immediate action is required.

For complex operations, Q CLI guides multi-step procedures while MCP provides real-time feedback on system state.

Use-case 2: Simplify SAP Operations

The following use case is to maintain SAP Application Servers. Q CLI streamlines daily SAP management by generating runbooks for routine maintenance tasks. SAP BASIS administrators can use Q CLI to manage administrative tasks while monitoring system status in real-time through CloudWatch MCP server during maintenance windows. In this scenario, QCLI created task lists as follows:

  1. Prompt to check on the status of App Server
    1. Run aws ec2 describe-instances to check for the SAP application server
    2. Run ssm command ps to check on SAP dispatcher and dialog process
    3. Run ssm command sapcontrol to get the system status
    4. Summarize that the SAP application server is stopped
  2. After prompt to start the SAP application server
    1. Run ssm command sapcontrol to start the SAP application server
    2. Run ssm command sapcontrol to check the status of the Processes
    3. Run ssm command ps to check on SAP dialog process
    4. Run ssm command sapcontrol to get the system status
    5. Summarize that the SAP application server is started

Important note: The prompts and responses below are shortened, you can download this Use-case 2- Simplify SAP Operations to look at the complete prompt and response from Q CLI.

Prompt: Get status of sap in application server sapbaseaas1. Do not start the server, only report on current status of SAP process.


> get status of sap in application server sapbaseaas1. Do not start the server, Only report on current status of SAP process.

> I'll check the current status of SAP processes on the application server sapbaseaas1 without starting the server.


🛠️  Using tool: execute_bash (trusted)
 ⋮ 
 ● I will run the following shell command: 
aws ec2 describe-instances --filters "Name=tag:Name,Values=*sapbaseaas1*" --query "Reservations[*].Instances[*].[InstanceId,Tags[?Key=='Name'].Value|[0],State.Name,PrivateIpAddress]" --output table
 ⋮ 
 ↳ Purpose: Finding the instance ID for sapbaseaas1

..

> Now I'll check the current status of the SAP processes on the running sapbaseaas1 server:

……..

## Conclusion
The SAP application server sapbaseaas1 is currently stopped. While the EC2 instance itself is running and the SAP support processes are active, the actual SAP application instance (dialog instance) is not running.
No work processes are active, and the instance is showing as GRAY in the system status. The instance would need to be started to become operational and process SAP transactions.

In the next scenario, SAP BASIS administrator will ask Amazon Q from CLI to start an SAP application server, related SAP service, and report on status of SAP application. Q CLI execute_bash tool runs 8 SSM commands to fulfill the request.

Prompt: Start SAP on the SAP application server sapbaseaas1.


> start SAP on the SAP application server sapbaseaas1

> I'll start the SAP application on the sapbaseaas1 server.


🛠️  Using tool: execute_bash (trusted)
 ⋮ 
 ● I will run the following shell command: 
aws ssm send-command --instance-ids i-0539ecbaf407c4886 --document-name "AWS-RunShellScript" --parameters 'commands=["sudo su - ecdadm -c \"sapcontrol -nr 00 -function Start\""]' --output json
 ⋮ 
 ↳ Purpose: Starting SAP instance on sapbaseaas1

..


> Now let's check if the SAP instance has started successfully:

……..

## Conclusion
The SAP application server sapbaseaas1 is now fully operational. All required processes are running, and the instance is properly integrated with the SAP system. The instance is ready to handle user workloads and
process SAP transactions.

Conclusion

CloudWatch MCP Server delivers unified visibility across the entire SAP landscape in client environments. It consolidates SAP application logs, SAP HANA metrics, and AWS EC2 performance data. The system automatically correlates metrics across SAP components. Q CLI complements this by enabling natural language interaction with this rich dataset, allowing teams to easily generate system logs and simplify SAP system operations. It is well aligned with AWS Well-Architected Frameworks to help you boost productivity of running and maintaining your SAP Systems Landscape.
In subsequent blog, we will discuss on how you can leverage CloudWatch MCP Server and Q CLI to plan maintenance events and accelerate root cause analysis for SAP as well as diving deep into the cost consideration of the solution.
As next step, try out this solution, you can achieve at least 6 times more productivity with this solution. Stay tune to our upcoming innovation around more Amazon CloudWatch, AWS Model Context Protocol Servers and Amazon Q for command line.

Join the SAP on AWS Discussion

In addition to your customer account team and AWS Support channels, we have recently launched re:Post – A Reimagined Q&A Experience for the AWS Community. Our AWS for SAP Solution Architecture team regularly monitor the AWS for SAP topic for discussion and questions that could be answered to assist our customers and partners. If your question is not support-related, consider joining the discussion over at re:Post and adding to the community knowledge base.

Credits

I would like to thank the following team members for their contributions: Sreenath Middhi, and Adam Hill.